JP7378672B2 - Information processing device, information processing method, and information processing program - Google Patents

Description

The present disclosure relates to user authentication using passwords.

There is an authentication system that performs user authentication using a password, as typified by the technology described in Patent Document 1.
In authentication systems that use passwords, in order to force users to use strong passwords, the authentication system often sets a password policy and has the user generate a password according to the password policy. A password policy is a rule for generating passwords. The password policy stipulates, for example, the types of characters that should be used in passwords (``alphabet only'', ``a combination of alphabets and numbers'', etc.), conditions for the number of characters in passwords (``8 characters or more and less than 16 characters'', etc.), etc. .

Japanese Patent Application Publication No. 2007-310515

In conventional authentication systems, the password policy is often displayed on the password registration page (hereinafter simply referred to as the "registration page") where the user registers a password to notify the user of the password policy.
On the other hand, in conventional authentication systems, the password policy is not displayed on the password authentication page (hereinafter simply referred to as the "authentication page") for user authentication using a password.
In this way, in conventional authentication systems, while the password policy is displayed on the registration page, the password policy is not displayed on the authentication page.
Therefore, there is a problem in that the user cannot enter the correct password on the authentication page during authentication, resulting in user authentication failure.

The main purpose of the present disclosure is to solve the above problems. More specifically, the present disclosure primarily aims to enable the user to enter the correct password on the authentication page during user authentication.

The information processing device according to the present disclosure includes:
a policy acquisition unit that acquires a password policy specified in an authentication system that performs user authentication using a password;
The authentication system includes a policy presentation section that presents the password policy acquired by the policy acquisition section to the user when the authentication system receives a password input from the user for the user authentication.

According to the present disclosure, a user can enter a correct password on an authentication page during user authentication.

1 is a diagram showing an example of a system configuration according to Embodiment 1. FIG. 1 is a diagram illustrating an example of a hardware configuration of a user terminal device according to Embodiment 1. FIG. 1 is a diagram illustrating an example of a functional configuration of a policy acquisition device according to Embodiment 1. FIG. 3 is a diagram showing an example of an authentication page according to Embodiment 1. FIG. 3 is a diagram showing an example of a registration page according to Embodiment 1. FIG. 5 is a flowchart illustrating an example of the operation of the policy acquisition device according to the first embodiment. FIG. 3 is a diagram showing an example of an HTML source code of an authentication page according to the first embodiment. 7 is a flowchart showing a registration page acquisition procedure according to the first embodiment. FIG. 3 is a diagram showing an example of HTML source code of a registration page according to the first embodiment. 7 is a flowchart showing a password policy acquisition procedure according to the first embodiment. FIG. 3 is a diagram illustrating an example of an authentication page including a password policy according to the first embodiment. 7 is a flowchart illustrating an example of the operation of the policy acquisition device according to Modification 1 of Embodiment 1. FIG. 7 is a diagram illustrating an example of a registration page according to Modification 2 of Embodiment 1; 7 is a diagram illustrating an example of an error registration page according to Modification 2 of Embodiment 1. FIG. 7 is a diagram illustrating an example of an error registration page according to Modification 2 of Embodiment 1. FIG. FIG. 7 is a diagram showing an example of an HTML source code of a registration page according to Modification 2 of Embodiment 1; 7 is a diagram illustrating an example of a DOM according to a second modification of the first embodiment. FIG. 7 is a diagram illustrating an example of a DOM according to a second modification of the first embodiment. FIG. 7 is a flowchart illustrating an example of the operation of the policy acquisition device according to Modification 2 of Embodiment 1. 7 is a diagram illustrating an example of a DOM according to a second modification of the first embodiment. FIG. 7 is a diagram illustrating an example of a DOM according to a second modification of the first embodiment. FIG. FIG. 7 is a diagram showing an example of an error message according to Modification 2 of Embodiment 1; FIG. 3 is a diagram illustrating an example of a system configuration according to a second embodiment. FIG. 7 is a diagram illustrating an example of a functional configuration of a policy acquisition device according to a second embodiment. 7 is a flowchart showing an example of the operation of the policy acquisition device according to the second embodiment. FIG. 7 is a diagram illustrating an example of a functional configuration of a policy acquisition device according to Modification 1 of Embodiment 2; 7 is a flowchart illustrating an example of the operation of the policy acquisition device according to Modification 1 of Embodiment 2. FIG. 7 is a diagram illustrating an example of a system configuration according to a third modification of the first embodiment. FIG. 7 is a diagram illustrating an example of a system configuration according to a third modification of the first embodiment.

Hereinafter, embodiments will be described using figures. In the following description of the embodiments and drawings, the same reference numerals indicate the same or corresponding parts.

Embodiment 1.
***Explanation of configuration***
FIG. 1 shows an example of a system configuration according to this embodiment.
The authentication system 200 is a server device that performs user authentication using a password. In the authentication system 200, a password policy is defined.
The user terminal device 300 is a terminal device used by a user who is a target of user authentication.
A user terminal device 300 includes a policy acquisition device 100. The policy acquisition device 100 acquires a password policy from the authentication system 200 upon user authentication. The policy acquisition device 100 then presents the acquired password policy to the user.
The policy acquisition device 100 corresponds to an information processing device. Further, the operation procedure of the policy acquisition device 100 corresponds to an information processing method. Further, a program that realizes the operation of the policy acquisition device 100 corresponds to an information processing program.

FIG. 2 shows an example of the hardware configuration of the user terminal device 300 according to this embodiment. Further, FIG. 3 shows an example of the functional configuration of the policy acquisition device 100 according to the present embodiment.
First, an example of the hardware configuration of the user terminal device 300 will be described with reference to FIG. 2.

User terminal device 300 according to this embodiment is a computer.
The user terminal device 300 includes a processor 901, a main storage device 902, an auxiliary storage device 903, a communication device 904, and an input/output device 905 as hardware.
As shown in FIG. 3, the policy acquisition device 100 includes an authentication page acquisition section 101, an authentication page presentation section 102, a registration page acquisition section 103, a policy acquisition section 104, and a policy presentation section 105 as functional configurations.
The functions of the authentication page acquisition unit 101, authentication page presentation unit 102, registration page acquisition unit 103, policy acquisition unit 104, and policy presentation unit 105 are realized by, for example, a program.
The auxiliary storage device 903 stores programs that implement the functions of the authentication page acquisition section 101, authentication page presentation section 102, registration page acquisition section 103, policy acquisition section 104, and policy presentation section 105.
These programs are loaded from the auxiliary storage device 903 to the main storage device 902. The processor 901 executes these programs to operate the authentication page acquisition section 101, authentication page presentation section 102, registration page acquisition section 103, policy acquisition section 104, and policy presentation section 105, which will be described later.
FIG. 3 schematically shows a state in which the processor 901 executes programs that implement the functions of the authentication page acquisition unit 101, authentication page presentation unit 102, registration page acquisition unit 103, policy acquisition unit 104, and policy presentation unit 105. represents.
The user terminal device 300 also includes functions other than the authentication page acquisition section 101, the authentication page presentation section 102, the registration page acquisition section 103, the policy acquisition section 104, and the policy presentation section 105. However, functions other than these authentication page acquisition unit 101, authentication page presentation unit 102, registration page acquisition unit 103, policy acquisition unit 104, and policy presentation unit 105 are not directly related to the description of this embodiment, and therefore will not be described below. , authentication page acquisition section 101, authentication page presentation section 102, registration page acquisition section 103, policy acquisition section 104, and policy presentation section 105 only will be explained.
The communication device 904 is used for the user terminal device 300 to communicate with the authentication system 200.
The input/output device 905 includes, for example, a mouse, a keyboard, and a display.

Next, an example of the functional configuration of the policy acquisition device 100 according to the present embodiment will be described with reference to FIG. 3.

The authentication page acquisition unit 101 acquires an authentication page from the authentication system 200.
Here, the authentication page is a page for the user to enter a password.
The user has registered a password in the authentication system 200 in advance. Since the password registered in the authentication system 200 is a password used for verification, it is called a verification password. Then, during user authentication, the user enters a password on the authentication page. The authentication system 200 performs user authentication by comparing the password entered on the authentication page with the verification password.
An example of the authentication page is shown in FIG. The authentication page shown in FIG. 4 includes an ID input form for inputting the user's ID (Identifier) and a password input form for inputting the user's password.

The authentication page presentation unit 102 presents the authentication page acquired by the authentication page acquisition unit 101 to the user. The authentication page presentation unit 102 displays the authentication page on, for example, the input/output device 905 (display).

The registration page acquisition unit 103 acquires a registration page from the authentication system 200.
Here, the registration page is a page for the user to register a verification password in the authentication system 200.
An example of the registration page is shown in FIG. The registration page in FIG. 5 includes an ID input form for inputting the user's ID and a password input form for inputting the user's password (verification password). Further, the registration page shown in FIG. 5 includes a password policy of "8 or more half-width alphanumeric characters".
The password policy indicates conditions that a verification password registered in the authentication system 200 must satisfy. As a password policy, in addition to "8 or more half-width alphanumeric characters" shown in FIG. 5, "10 or more half-width alphanumeric characters" can be considered. By referring to the password policy shown on the registration page, the user can enter a verification password that matches the password policy.

The policy acquisition unit 104 acquires the password policy included in the registration page acquired by the registration page acquisition unit 103.
Note that the processing performed by the policy acquisition unit 104 corresponds to policy acquisition processing.

The policy presenting unit 105 presents the password policy acquired by the policy acquiring unit 104 to the user when accepting a password input from the user for user authentication. The policy presentation unit 105 displays the password policy on, for example, the input/output device 905 (display).
The processing performed by the policy presentation unit 105 corresponds to policy presentation processing.

***Operation explanation***
FIG. 6 shows an example of the operation of the policy acquisition device 100 according to this embodiment.
Hereinafter, an example of the operation of the policy acquisition device 100 according to the present embodiment will be described with reference to FIG. 6.

First, in step S101, the authentication page acquisition unit 101 acquires an authentication page from the authentication system 200. The method by which the authentication page acquisition unit 101 acquires the authentication page from the authentication system 200 may be any method.
For example, when the authentication system 200 is implemented as a Web system, the authentication page acquisition unit 101 acquires the HTML source code of the authentication page illustrated in FIG. 7 by transmitting an http request.
The following description will be made assuming that the authentication system 200 is implemented as a Web system, and the authentication page acquisition unit 101 acquires the HTML source code illustrated in FIG. 7 by transmitting an http request.

Next, in step S102, the authentication page presentation unit 102 presents the authentication page acquired in step S101 to the user. For example, the authentication page presentation unit 102 displays the authentication page on the input/output device 905 (display).
In this embodiment, the explanation will be given assuming that the authentication page presentation unit 102 analyzes the HTML source code of FIG. 7 and displays the authentication page of FIG. 4 on the display.

Next, in step S103, the registration page acquisition unit 103 searches for a registration page from the authentication system 200 and acquires the registration page from the authentication system 200.
The algorithm for searching and acquiring a registered page by the registered page acquisition unit 103 may be any algorithm.
Generally, the authentication page often includes a link to the registration page. For this reason, it is conceivable to search for a registration page using a link to the registration page within the authentication page.
Here, a "link" is a mechanism for moving to another page within the authentication system 200. A link is composed of a character string to be clicked on a source page (hereinafter referred to as a "link character string") and a page to which the user will be moved when the link character string is clicked (hereinafter referred to as a "destination page"). In this embodiment, the description assumes a web system, so the link is written as "<a href="destination page">link string</a>" in the html source code. . On the display, the link appears as "Register here" shown in FIG.

FIG. 8 shows an example of a procedure for acquiring a registration page from a link to a registration page in an authentication page (registration page acquisition procedure).

In step S201, the registration page acquisition unit 103 acquires all link character strings and destination pages of links included in the authentication page.
The registered page acquisition unit 103, for example, {destination page: top. html, link string: top page}, {destination page: reg. html, link string: Click here to register}.

Next, in step S202, the registered page acquisition unit 103 identifies a link string having a character string pattern used to move to the registered page from the list obtained in step S201, and registers the destination. Get it as a page.
The character string pattern used to move the registration page is, for example, the regular expression ".*(registration|first time).*".
Here, "." indicates any single character, "*" indicates the previous character repeated zero or more times, and "(A|B)" indicates either A or B. In other words, this pattern indicates "any character string containing the word 'registration' or 'first time'".
For example, this pattern is included in link strings such as "Click here to register" and "For first-time users of this site." As a result, in the example shown in step S201, the registered page acquisition unit 103 retrieves {destination page: reg. html, link string: register here} and obtain the destination page "reg.html" as the registered page.
FIG. 9 shows an example of the HTML source code of the acquired registration page.

Returning to the explanation of the flow in FIG. 6.

In step S104, the policy acquisition unit 104 acquires the password policy included in the registration page acquired in step S103.
The algorithm for password acquisition by the policy acquisition unit 104 may be any algorithm.
Password policies are often listed near the password entry form on the registration page. For example, in the example shown in FIG. 5, the password policy "8 or more half-width alphanumeric characters" is written directly below the password input form.

FIG. 10 shows an example of a procedure for acquiring a password policy near a password input form (password policy acquisition procedure).

First, in step S301, the policy acquisition unit 104 identifies the position of the password input form on the registration page. The policy acquisition unit 104 can specify the location of the password input form using any algorithm. For example, in the case of an authentication page generated using an HTML source code, a password input form is generated using an HTML tag of <input type="password">. Therefore, the policy acquisition unit 104 can specify the location of the password input form by searching for the corresponding tag in the HTML source code.

After step S302, the policy acquisition unit 104 extracts character strings included in the registration page in order from the closest to the password input form, and acquires a password policy.
Specifically, the policy acquisition unit 104 performs the following operations.

In step S302, the policy acquisition unit 104 initializes a variable i representing proximity to 1 in order to extract character strings in order from the closest to the password input form.

Next, in step S303, the policy acquisition unit 104 acquires the i-th closest character string S from the password input form. For example, in the example of FIG. 9, the policy acquisition unit 104 acquires the character string "password" when i=1 and "8 or more half-width alphanumeric characters" when i=2.

Next, in step S304, the policy acquisition unit 104 determines whether the character string S acquired in step S303 is a password policy. For example, the policy acquisition unit 104 determines whether or not a password policy pattern prepared in advance matches the character string S acquired in step S303.
The password policy pattern is, for example, the regular expression ".*English.*Character.*". This regular expression means ``a character string that includes ``English'' and ``character''. For example, if the pattern ".*English.*Character.*" is used, and the character string S is "password", the determination result in step S304 will be NO. On the other hand, if the character string S is "8 or more half-width alphanumeric characters", the determination result in step S304 is YES.
If the character string S matches the password policy pattern (YES in step S304), the process advances to step S306. On the other hand, if the character string S does not match the password policy pattern (NO in step S304), the process advances to step S305.

In step S305, the policy acquisition unit 104 increases i by 1 in order to acquire the next character string.

In step S306, the policy acquisition unit 104 acquires the character string S as a password policy.

Returning to the explanation of the flow in FIG. 6.

In step S105, the policy presentation unit 105 displays the password policy acquired in step S104 on the authentication page displayed on the display in step S102.
The policy presentation unit 105 displays the password policy on the authentication page, for example, as shown in FIG.

Here, an example is shown in which after the authentication page is displayed in step S102, the password policy is superimposed and displayed on the authentication page in step S105. Instead, step S102 is omitted, and the policy presentation unit 105 combines the authentication page and the password policy to generate an authentication page including the password policy shown in FIG. 11, and displays this authentication page. Good too.
Further, after the authentication page is displayed in step S102, the policy presentation unit 105 may display only the password policy separately from the authentication page in step S105.

***Explanation of effects of embodiment***
As described above, in this embodiment, the policy acquisition device 100 acquires a password policy and presents the password policy to the user during user authentication. Therefore, according to this embodiment, the user can input the correct password on the authentication page during user authentication.

<Modification 1>
In the first embodiment, as details of step S103 in FIG. 6, an example (FIG. 8) was described in which the registration page acquisition unit 103 acquires a registration page based on a link to the registration page in the authentication page.
However, the authentication page may not include a link to the registration page.
Therefore, in this modification, a procedure for acquiring a registration page when the authentication page does not include a link to the registration page will be described. Specifically, in this modification, the policy acquisition device 100 searches for a registration page using a link derived from a link set on the authentication page.

The system configuration according to this modification is as shown in FIG. Further, an example of the hardware configuration of the user terminal device 300 according to this modification is as shown in FIG. 2. Further, an example of the functional configuration of the policy acquisition device 100 according to this modification is as shown in FIG. 3. Further, in this modification, as details of step S103 in FIG. 6, the operation in FIG. 12 is performed instead of the operation in FIG. 8.
Note that in this modification, differences from Embodiment 1 will be mainly explained.
Note that matters not described below are the same as in the first embodiment.

An example of the operation of the policy acquisition device 100 according to this embodiment will be described with reference to FIG. 12.

First, in step S401, the registered page acquisition unit 103 adds an authentication page to the queue.
Here, the queue is an array that realizes first-in first-out data. A queue in which data X1 and data X2 are stored in the order of data X1 and data X2 is expressed as {X1, X2}. At this time, when data X3 is added to this queue, data X3 is added after data X2. The queue after data X3 is added is expressed as {X1, X2, X3}. When data is extracted from this queue, data X1 stored in the queue first is extracted. As a result, the queue is expressed as {X2, X3}.

Next, in step S402, the registered page acquisition unit 103 acquires one piece of data (page in the authentication system 200) from the queue. Here, the acquired data is referred to as page X. In the first operation of step S402, since the authentication page is stored in step S401, the registration page acquisition unit 103 acquires the authentication page.

Next, in step S403, the registered page acquisition unit 103 determines whether the page X acquired in step S402 is a registered page. The registered page acquisition unit 103 can determine whether page X is a registered page using any algorithm.
For example, the registered page acquisition unit 103 may determine whether page X is a registered page by analyzing whether page X includes the characteristics of a registered page. If the authentication system 200 is a web system, for example, if "the URL of page X includes a word representing a registered page", the registered page acquisition unit 103 determines that page It is determined that In addition, the registration page acquisition unit 103 determines that page X includes the characteristics of a registration page when "the HTML source code of page You may judge.
If page X is a registered page (YES in step S403), the process advances to step S405. On the other hand, if page X is not a registered page (NO in step S403), the process advances to step S404.

In step S404, the registered page acquisition unit 103 adds all the destination pages of the links included in page X to the queue.
If the operation in step S404 is the first time, since page X is an authentication page, the registered page acquisition unit 103 adds all destination pages of links included in the authentication page to the queue. For example, if the authentication page includes links to the top page (top.html) and the inquiry page (mail.html) of the authentication system 200, the registration page acquisition unit 103 may access the top page (top.html) and the inquiry page (mail.html). html and mail. Add html to queue.

In step S405, since page X is a registered page, the registered page acquisition unit 103 acquires page X as a registered page.

In this way, even if the authentication page does not include a link to the registration page, the registration page acquisition unit 103 can follow the steps in FIG. 12 to sequentially follow the links derived from the links set on the authentication page. You can get the registration page.

<Modification 2>
In the first embodiment, as details of step S104 in FIG. 6, an example (FIG. 10) in which the policy acquisition unit 104 acquires a password policy near the password input form on the registration page has been described.
However, the password policy may not be included on the registration page.
Therefore, in this modification, an example will be described in which the password policy can be obtained even if the password policy is not included in the registration page. Specifically, in this modification, the policy acquisition device 100 acquires the password policy using an error message that is presented to the user when an incorrect password that does not match the password policy is input.

The system configuration according to this modification is as shown in FIG. Further, an example of the hardware configuration of the user terminal device 300 according to this modification is as shown in FIG. 2. Further, an example of the functional configuration of the policy acquisition device 100 according to this modification is as shown in FIG. 3. Furthermore, in this modification, as details of step S104 in FIG. 6, the operation in FIG. 19 is performed instead of the operation in FIG. 10.
Note that in this modification, differences from Embodiment 1 will be mainly explained.
Note that matters not described below are the same as in the first embodiment.

If the user enters an incorrect password that does not satisfy the password policy into the password input form on the registration page shown in FIG. 13, an error message is displayed on the registration page as shown in FIGS. 14 and 15.
The example in FIG. 14 shows an error message that is displayed when the user enters an invalid password consisting of only one character. Since a password of 8 or more characters is specified in the password policy, in the example of FIG. 14, an error message is displayed prompting the user to enter a password of 8 or more characters.
The example in FIG. 15 shows an error message that is displayed when the user enters an invalid password consisting only of alphabetic characters. Since a password containing a mixture of letters and numbers is specified in the password policy, in the example of FIG. 15, an error message is displayed prompting the user to enter a password containing a mixture of letters and numbers. Note that in FIGS. 14 and 15, it is assumed that error messages are displayed in red.
Hereinafter, a registration page on which an error message is displayed as a result of inputting an incorrect password into the password input form, as shown in FIGS. 14 and 15, will be referred to as an error registration page.

In this modification, the policy acquisition unit 104 sets an invalid password on the registration page and acquires the error registration page. Then, the policy acquisition unit 104 analyzes the error message included in the error registration page and acquires the password policy. More specifically, the policy acquisition unit 104 sets a plurality of incorrect passwords, each of which does not match the password policy, on a registration page, and obtains a plurality of error registration pages in correspondence with the plurality of incorrect passwords. Then, the policy acquisition unit 104 analyzes a plurality of error messages included in a plurality of error registration pages and acquires a password policy.
The policy acquisition unit 104 can acquire the error registration page using any method. For example, if the authentication system 200 is implemented as a Web system, the policy acquisition unit 104 can acquire the error registration page as a DOM (Document Object Model). Further, the policy acquisition unit 104 may acquire the error registration page as a screen shot of the screen.
Here, the DOM is a code for displaying the status of the registered page on the screen, which is obtained by executing the html source code.
The details of the DOM will be explained below.

For example, in the html source code shown in FIG. 16, the contents to be displayed on the screen are described in the 2nd to 15th lines. Furthermore, in the 16th to 27th lines, it is written that the content displayed on the screen is changed based on the character string input to the password input form. Furthermore, the seventh line describes that a password input form is to be displayed on the screen. Furthermore, in lines 22 to 24, it is determined whether the character string entered in the password input form is less than 8 characters, and if the character string entered is less than 8 characters, an error message is displayed. It is described what to do. Furthermore, on the 10th line, it is written that the error message is to be displayed in red.
When this HTML source code shown in FIG. 16 is executed, in the initial state, no password is entered in the password input form, so the DOM shown in FIG. 17 is generated on the user terminal device 300, and the registration page shown in FIG. 13 is generated. is displayed.
On the other hand, when a password containing only "a" is entered in the password input form of the HTML source code shown in FIG. 16, the DOM shown in FIG. 18 is generated on the user terminal device 300, and the error registration page shown in FIG. 14 is displayed.

FIG. 19 shows details of step S104 in FIG. 6 in the second modification.
An example of the operation of the policy acquisition device 100 according to Modification Example 2 will be described below with reference to FIG. 19.

First, in step S501, the policy acquisition unit 104 generates n character strings S1, S1, . . . , Sn that tend to violate the password policy. The policy acquisition unit 104 generates, for example, a character string with a small number of characters, such as "a", a character string consisting only of alphabetic characters, such as "password", and the like.

Steps S502 to S506 are steps for inputting these character strings S1, S2, . . . , Sn into the password input form and obtaining error registration pages P1, P2, . . . , Pn.

In step S502, the policy acquisition unit 104 sets a counter i to 0 for referencing the character strings S1, S2, . . . , Sn one by one.

Next, in step S503, the policy acquisition unit 104 determines whether i is less than or equal to n.
If the counter i exceeds n, it means that all of the character strings S1, S2, ..., Sn were entered into the password input form, and all of the error registration pages P1, P2, ..., Pn were obtained. .
If the counter i is less than or equal to n (YES in step S503), the process advances to step S504.
On the other hand, if the counter i is not less than or equal to n (NO in step S503), the process advances to step S507.

In step S504, the policy acquisition unit 104 inputs the character string Si into the password input form of the registration page.

In step S505, the policy acquisition unit 104 acquires the error registration page Pi obtained by inputting the character string Si into the password input form of the registration page in step S504.

In step S506, the policy acquisition unit 104 increments the counter i by 1.
After that, the policy acquisition unit 104 performs the processing from step S503 onwards. If the counter i after incrementing by 1 is less than or equal to n (YES in step S503), the policy acquisition unit 104 inputs the next character string into the password input form of the registration page (step S504).

In step S507, the policy acquisition unit 104 acquires the password policy by calculating the difference between the error registration pages P1, P2, . . . , Pn.
The method by which the policy acquisition unit 104 obtains the difference between the error registration pages P1, P2, . . . , Pn will be described below.

Here, it is assumed that error registration pages P1, P2, . . . , Pn are acquired as DOM. In this case, the policy acquisition unit 104 calculates OR(diff(Pi,Pj))(i≠j)=OR(diff(P1,P2),diff(P1,P3),diff(P2,P3),...) You can obtain the password policy by obtaining the .
Here, diff (A, B) is an operation that outputs a partial character string of DOM A that is not included in DOM B. However, if DOM A and DOM B are exactly the same character string, null is output. Furthermore, OR (A, B, C, . . . ) is an operation that outputs a set of values obtained by removing duplicate character strings and nulls from A, B, C, . For example, OR(X, Y, X, null, Z)={X, Y, Z}.

A method for the policy acquisition unit 104 to obtain the difference between error registration pages P1, P2, . . . , Pn will be explained using a specific example.

Here, it is assumed that in addition to the DOM of FIG. 18, the DOM of FIG. 20 and the DOM of FIG. 21 have been acquired. In the following, the DOM in FIG. 18 will be referred to as an error registration page P1. Furthermore, hereinafter, the DOM in FIG. 20 will be referred to as an error registration page P2. Furthermore, below, the DOM of FIG. 21 will be referred to as an error registration page P3.
Note that the DOM in FIG. 18 and the DOM in FIG. 21 are the same. In this way, P1, P2, . . . , Pn may include a plurality of the same DOMs.
By performing a diff operation on P1 to P3, the policy acquisition unit 104 acquires the following.
diff (P1, P2) = Please enter at least 8 characters diff (P1, P3) = null
diff (P2, P1) = Please enter a mixture of alphanumeric characters diff (P2, P3) = Please enter a mixture of alphanumeric characters diff (P3, P1) = null
diff (P3, P2) = Please enter 8 or more characters. Furthermore, by performing an OR operation on the results of the diff operation for P1 to P3, the policy acquisition unit 104 acquires the following.
OR(diff(P1,P2),diff(P1,P3),diff(P2,P3),...)
=OR (Please enter 8 or more characters, null, enter a mixture of alphanumeric characters, etc.)
= {Please enter at least 8 characters, please enter a mixture of alphanumeric characters}
As described above, the policy acquisition unit 104 can acquire {Please input 8 or more characters, Please input a mixture of alphanumeric characters} as the password policy.

Alternatively, if the error registration pages P1, P2, . . . , Pn are acquired as screenshots, the policy acquisition unit 104 can acquire the password policy by performing the following calculation.
OR(OCR(diff_p(Pi, Pj)))(i≠j)=OR(OCR(diff_p(P1, P2)), OCR(diff_p(P1, P3)), OCR(diff_p(P2, P3)), …)
Here, diff(A, B) is an operation that outputs a partial image of screenshot A that is not included in screenshot B. Further, OCR (A) is a calculation that recognizes a character string appearing as an image in screenshot A and outputs it as a character string.

The operation of the policy acquisition unit 104 when a screenshot is used will be explained, focusing on the difference from the operation of the policy acquisition unit 104 when a DOM is used.
Here, it is assumed that the screenshot of FIG. 14 and the screenshot of FIG. 15 have been obtained. The screen shot of FIG. 14 is referred to as error registration page P1. Further, the screenshot of FIG. 15 will be referred to as error registration page P2.
diff_p(P1, P2)=FIG. 22. Also, please enter OCR (diff_p(P1, P2)) with 8 or more characters.
The other operations are the same as those of the policy acquisition unit 104 when DOM is used, so a description thereof will be omitted.

In this way, even if the password policy is not included in the registration page, it is possible to obtain the password policy using the error message that is output when an incorrect password is entered.

<Modification 3>
In the first embodiment, as shown in FIG. 1, an example is shown in which the user terminal device 300 is provided with the policy acquisition device 100. Alternatively, as shown in FIG. 28, the policy acquisition device 100 may be provided in a relay device 400 that relays communication between the authentication system 200 and the policy acquisition device 100. In this case, the policy acquisition device 100 in the relay device 400 receives the authentication page, registration page, and password policy from the authentication system 200 using the same procedure as the policy acquisition device 100 of the first embodiment. Then, the policy acquisition device 100 in the relay device 400 transmits the received authentication page, registration page, and password policy to the user terminal device 300.
Further, the policy acquisition device 100 in the relay device 400 may perform the same operation as the policy acquisition device 100 of the first modification and the second modification.

Further, as shown in FIG. 29, the policy acquisition device 100 may be provided in the authentication system 200. In this case, the policy acquisition device 100 in the authentication system 200 acquires the authentication page, registration page, and password policy using the same procedure as the policy acquisition device 100 of the first embodiment. Then, the policy acquisition device 100 in the authentication system 200 transmits the acquired authentication page, registration page, and password policy to the user terminal device 300.
Further, the policy acquisition device 100 in the authentication system 200 may perform the same operation as the policy acquisition device 100 of the first modification and the second modification.

Embodiment 2.
In the first embodiment, an example has been described in which the policy acquisition device 100 acquires a password policy from the registration page of one authentication system 200 and includes the acquired password policy in the authentication page.
In this embodiment, the policy acquisition device 100 acquires password policies from the registration pages of a plurality of authentication systems 200 according to user specifications. Then, the policy acquisition device 100 lists the acquired password policies of the plurality of authentication systems 200. Then, the policy acquisition device 100 displays a list of password policies of the plurality of authentication systems 200.
More specifically, in this embodiment, a user connects an authentication system 200 for which he wishes to obtain a password policy to a user terminal device 300, for example, {authentication system A, authentication system B, authentication system C, ...}. Specify. The policy acquisition device 100 presents a list of {password policy of authentication system A, password policy of authentication system B, password policy of authentication system C} to the user.

In this embodiment, differences from Embodiment 1 will be mainly explained.
Note that matters not described below are the same as in the first embodiment.

***Explanation of configuration***
FIG. 23 shows an example of a system configuration according to this embodiment.

In this embodiment, the user terminal device 300 is connected to an authentication system 201, an authentication system 202, an authentication system 203, and the like. Then, the policy acquisition device 100 acquires the password policies of each of the authentication system 201, authentication system 202, authentication system 203, etc. according to the user's specifications.
Below, when there is no need to distinguish between the authentication system 201, the authentication system 202, and the authentication system 203, they will be collectively referred to as the authentication system 200.

FIG. 24 shows an example of the functional configuration of the policy acquisition device 100 according to this embodiment.

The authentication system list acquisition unit 106 acquires an authentication system list from the user.
The authentication system list is information in which the authentication systems 200 from which the user desires to obtain a password policy are listed.
List of authentication systems. Any information may be used as long as the authentication system 200 can be identified.
For example, if each authentication system 200 is implemented as a Web system, the authentication system list may be configured with a URL (Uniform Resource Locator) of any one page within each authentication system 200. If the authentication system list is composed of the URL of any one page in each authentication system 200, the authentication system list is {URL of any one page in the authentication system 201, any one page in the authentication system 202 The URL is structured as follows. Specifically, a list of authentication systems is available at {http://www. example. com/top. html, http://www. example. org/sample. html}.

The registration page acquisition unit 103 acquires a registration page from the authentication system 200 shown in the authentication system list.

The policy acquisition unit 104 is the same as that shown in the first embodiment. That is, the policy acquisition unit 104 acquires the password policy included in the registration page acquired by the registration page acquisition unit 103.

The policy recording unit 107 records the password policy acquired by the policy acquisition unit 104.

The policy presenting unit 105 presents a list of multiple password policies recorded in the policy recording unit 107 to the user.

Note that the function of the authentication system list acquisition unit 106 is also realized by a program, similar to the registration page acquisition unit 103 and the like. A program that implements the functions of the authentication system list acquisition unit 106 is executed by the processor 901.
Further, the policy recording unit 107 is realized by the main storage device 902 or the auxiliary storage device 903.

***Operation explanation***
FIG. 25 shows an example of the operation of the policy acquisition device 100 according to this embodiment.
The operation of the policy acquisition device 100 according to this embodiment will be described below with reference to FIG. 25.

In step S601, the authentication system list acquisition unit 106 acquires an authentication system list from the user via the input/output device 905 (mouse, keyboard).
Here, it is assumed that each authentication system 200 is implemented as a Web system, and the authentication system list acquisition unit 106 acquires a URL list of each authentication system 200. It is assumed that the URL list includes n URLs={URL1, URL2, ..., URLn}.
The authentication system list acquisition unit 106 outputs the URL list to the registration page acquisition unit 103.

Steps S602 to S606 are operations for acquiring password policies from each authentication system 200 specified in the URL list acquired in step S601.

In step S602, the registration page acquisition unit 103 initializes a counter i to 1 in order to process the authentication system 200 one by one.

In step S603, the registered page acquisition unit 103 determines whether the counter i is less than or equal to n.
If the counter i exceeds n, it means that password policies have been acquired from all of the n authentication systems 200 specified in the URL list.
If the counter i is less than or equal to n (YES in step S603), the process advances to step S604.
On the other hand, if the counter i is not less than or equal to n (NO in step S603), the process advances to step S608.

In step S604, the registration page acquisition unit 103 acquires the registration page of URLi. The registered page acquisition unit 103 performs the operation shown in FIG. 12 to acquire the registered page of URLi. That is, the registration page acquisition unit 103 replaces the authentication page in FIG. 12 with the URLi page, performs the operation shown in FIG. 12, and acquires the URLi registration page.

In step S605, the policy acquisition unit 104 acquires the password policy written on the registration page acquired in step S603. The policy acquisition unit 104 performs the same operation as step S104 in FIG.

In step S606, the policy recording unit 107 records the password policy acquired in step S605.
For example, if the password policy for URL1 is "8 or more alphanumeric characters," the policy recording unit 107 records it as {URL1: 8 or more alphanumeric characters}. After that, if "16 or more alphabetic characters" is acquired as the password policy for URL2, the password policy for URL2 is added to the password policy for URL1. As a result, the policy recording unit 107 records {URL1: 8 or more alphanumeric characters, URL2: 16 or more alphanumeric characters}.

In step S607, the registration page acquisition unit 103 increments the counter i by 1 in order to perform the next process for the authentication system 200.

In step S608, the policy presenting unit 105 displays a list of n password policies recorded in the policy recording unit 107 on the input/output device 905 (display).
For example, the policy presentation unit 105 displays a display that associates the authentication systems 200 and password policies for a plurality of authentication systems 200, such as {URL1: 8 or more alphanumeric characters, URL2: 16 or more alphanumeric characters, ...}. conduct.

***Explanation of effects of embodiment***
As described above, according to the present embodiment, password policies can be collected from the registration pages of a plurality of authentication systems 200, and a list of password policies of a plurality of authentication systems 200 can be presented to the user.

<Modification 1>
In the second embodiment, the user inputs a list of authentication systems. However, it is time-consuming for users to enter a list of authentication systems. Therefore, it is desirable to save the effort of inputting the authentication system list.
Therefore, in modification example 1, when each authentication system 200 is implemented as a Web system, the policy acquisition device 100 generates a list of authentication systems using a crawler such as a search engine. That is, in modification 1, when the user specifies the service name of the authentication system 200, the policy acquisition device 100 uses a crawler to acquire the URLs of the Web pages of the plurality of authentication systems 200 from the service name specified by the user. This saves the user the trouble of inputting the URLs of the web pages of the plurality of authentication systems 200 as a list of authentication systems.

Note that in this modification, differences from Embodiment 2 will be mainly explained.
Note that matters not described below are the same as in the second embodiment.

FIG. 26 shows an example of the functional configuration of the policy acquisition device 100 according to the first modification.

The access information acquisition unit 108 acquires a list of service names from the user.
The service name list is a list of service names of the authentication system 200 from which the user desires to obtain password policies.
The service name shown in the service name list may be any information as long as it can identify the authentication system 200. The service name is, for example, the name of a company. For example, if the user wishes to obtain the password policy of the authentication system 200 of XYZ Corporation, the user includes the company name "XYZ" in the service name list.
The access information acquisition unit 108 notifies a crawler such as a search engine of each service name shown in the service name list. Then, the access information acquisition unit 108 acquires the URL of the web page for each service name from the crawler as access information for accessing the authentication system 200.
As described above, if "XYZ" is included in the service name list, the access information acquisition unit 108 notifies the crawler of "XYZ". Specifically, the access information acquisition unit 108 instructs the crawler to execute a search using "XYZ" as a search word. As a result, the access information acquisition unit 108 acquires the URL of the web page of XYZ Corporation from the crawler.

Note that the function of the access information acquisition unit 108 is also realized by a program, similar to the registration page acquisition unit 103 and the like. A program that implements the functions of the access information acquisition unit 108 is executed by the processor 901.

Other components shown in FIG. 26 are the same as those shown in FIG. 24. For this reason, these descriptions will be omitted.

FIG. 27 shows an example of the operation of the access information acquisition unit 108.
The operation of the access information acquisition unit 108 will be described below with reference to FIG. 27.

In step S701, the access information acquisition unit 108 acquires a list of service names from the user via the input/output device 905 (mouse, keyboard).

Next, in step S702, the access information acquisition unit 108 notifies the crawler of the service names included in the service name list acquired in step S701, and instructs the crawler to perform a search using the service name as a search word.

In step S703, the access information acquisition unit 108 acquires search results from the crawler, acquires a URL from the search results, and stores the acquired URL in, for example, the main storage device 902 or the auxiliary storage device 903.
Note that in step S703, the access information acquisition unit 108 can acquire the URL from the search results using any method. For example, the access information acquisition unit 108 can acquire the URL that appears first in the search results.
Furthermore, if there is a URL that has been recorded in a previous process, the access information acquisition unit 108 stores the newly acquired URL in addition to the recorded URL. For example, the access information acquisition unit 108 stores a plurality of URLs in a format such as {URL1, URL2, URL3,...}.

In step S704, the access information acquisition unit 108 determines whether URLs have been acquired for all service names included in the service list.
If URLs have been acquired for all service names (YES in step S704), then steps S604, S605, S606, and S608 in FIG. 25 are performed using the acquired URLs. . That is, the policy acquisition unit 104 accesses each authentication system 200 using the acquired URL as access information, and acquires the registration page and password policy from each authentication system 200. Then, the policy presentation unit 105 displays the password policy of each authentication system 200 on the display.
On the other hand, if there is a service name whose URL has not yet been obtained (NO in step S704), the process returns to step S702.

In this way, according to the first modification, the user does not have to input URLs of web pages of multiple authentication systems 200.

Although Embodiment 1 and Embodiment 2 including modified examples have been described above, these embodiments may be implemented in combination.
Alternatively, one of these embodiments may be partially implemented.
Alternatively, these embodiments may be partially combined.
Further, the configurations and procedures described in these embodiments may be changed as necessary.

***Supplementary explanation of hardware configuration***
Finally, a supplementary explanation of the hardware configuration of the user terminal device 300 will be given.
Further, as shown in the third modification of the first embodiment, when the policy acquisition device 100 is provided in the relay device 400 or the authentication system 200, the processor 901 is also provided in the “relay device 400” or the “authentication system 200”. , a main storage device 902, an auxiliary storage device 903, a communication device 904, and an input/output device 905 are provided. In addition, "user terminal device 300" in the following description shall be read as "relay device 400" or "authentication system 200."

A processor 901 shown in FIG. 2 is an IC (Integrated Circuit) that performs processing.
The processor 901 is a CPU (Central Processing Unit), a DSP (Digital Signal Processor), or the like.
The main storage device 902 shown in FIG. 2 is a RAM (Random Access Memory).
The auxiliary storage device 903 shown in FIG. 2 is a ROM (Read Only Memory), a flash memory, an HDD (Hard Disk Drive), or the like.
The communication device 904 shown in FIG. 2 is an electronic circuit that executes data communication processing.
The communication device 904 is, for example, a communication chip or NIC (Network Interface Card).

The auxiliary storage device 903 also stores an OS (Operating System).
At least a portion of the OS is executed by the processor 901.
While executing at least a part of the OS, the processor 901 executes authentication page acquisition section 101, authentication page presentation section 102, registration page acquisition section 103, policy acquisition section 104, policy presentation section 105, authentication system list acquisition section 106, and access information. A program that implements the functions of the acquisition unit 108 is executed.
When the processor 901 executes the OS, task management, memory management, file management, communication control, etc. are performed.
Further, information indicating the results of processing by the authentication page acquisition unit 101, authentication page presentation unit 102, registration page acquisition unit 103, policy acquisition unit 104, policy presentation unit 105, authentication system list acquisition unit 106, and access information acquisition unit 108, Data, signal values, and/or variable values are stored in main memory 902, auxiliary memory 903, registers in processor 901, and/or cache memory.
Further, the programs that realize the functions of the authentication page acquisition unit 101, authentication page presentation unit 102, registration page acquisition unit 103, policy acquisition unit 104, policy presentation unit 105, authentication system list acquisition unit 106, and access information acquisition unit 108 are as follows. The information may be stored in a portable recording medium such as a magnetic disk, flexible disk, optical disk, compact disk, Blu-ray (registered trademark) disk, or DVD. Programs that implement the functions of the authentication page acquisition unit 101, authentication page presentation unit 102, registration page acquisition unit 103, policy acquisition unit 104, policy presentation unit 105, authentication system list acquisition unit 106, and access information acquisition unit 108 are stored. The portable recording medium may be distributed.

In addition, the "parts" of the authentication page acquisition unit 101, the authentication page presentation unit 102, the registration page acquisition unit 103, the policy acquisition unit 104, the policy presentation unit 105, the authentication system list acquisition unit 106, and the access information acquisition unit 108 are replaced with “circuit”. ” or “process” or “procedure” or “processing” or “circuitry”.
Further, the user terminal device 300 may be realized by a processing circuit. The processing circuit is, for example, a logic IC (Integrated Circuit), a GA (Gate Array), an ASIC (Application Specific Integrated Circuit), or an FPGA (Field-Programmable Gate A). rray).
In this case, the authentication page acquisition unit 101, authentication page presentation unit 102, registration page acquisition unit 103, policy acquisition unit 104, policy presentation unit 105, authentication system list acquisition unit 106, and access information acquisition unit 108 are each a processing circuit. realized as part of
Note that in this specification, the general concept of a processor and a processing circuit is referred to as a "processing circuitry."
In other words, a processor and a processing circuit are each specific examples of "processing circuitry."

100 policy acquisition device, 101 authentication page acquisition unit, 102 authentication page presentation unit, 103 registration page acquisition unit, 104 policy acquisition unit, 105 policy presentation unit, 106 authentication system list acquisition unit, 107 policy recording unit, 108 access information acquisition unit , 200 authentication system, 201 authentication system, 202 authentication system, 203 authentication system, 300 user terminal device, 400 relay device, 901 processor, 902 main storage device, 903 auxiliary storage device, 904 communication device, 905 input/output device.

Claims (13)

a policy acquisition unit that acquires a password policy specified in an authentication system that performs user authentication using a password;
a policy presentation unit that presents the password policy acquired by the policy acquisition unit to the user when the authentication system receives a password input from the user for the user authentication;
The policy acquisition unit includes:
From a registration page containing the password policy, which is presented to the user by the authentication system when a verification password that the authentication system checks against the password input during the user authentication is registered in the authentication system. An information processing device that acquires the password policy. The policy acquisition unit includes:
The information processing apparatus according to claim 1, wherein the registration page is searched for using a link set on an authentication page presented to the user by the authentication system during the user authentication. The policy acquisition unit includes:
The information processing apparatus according to claim 2, wherein the registration page is searched using a link derived from the link set on the authentication page. a policy acquisition unit that acquires a password policy specified in an authentication system that performs user authentication using a password;
a policy presentation unit that presents the password policy acquired by the policy acquisition unit to the user when the authentication system receives a password input from the user for the user authentication;
The policy acquisition unit includes:
An information processing device that obtains the password policy using an error message presented to the user by the authentication system when an incorrect password that does not match the password policy is input. The policy acquisition unit includes:
The information processing apparatus according to claim 4, wherein the invalid password is set on a registration page for registering a password, the error message is acquired, and the password policy is acquired using the acquired error message. The policy acquisition unit includes:
A plurality of invalid passwords, each of which does not match the password policy, are set on the registration page, a plurality of error messages are acquired in correspondence with the plurality of invalid passwords, and the acquired error messages are used to implement the password policy. The information processing device according to claim 5, which acquires the information processing device. The policy presentation unit is
5. The information processing apparatus according to claim 1, wherein the password policy is included in an authentication page presented to the user by the authentication system during the user authentication. The policy acquisition unit includes:
Obtain multiple password policies stipulated by multiple authentication systems,
The policy presentation unit is
The information processing apparatus according to claim 1 or 4, wherein each of the plurality of password policies acquired by the policy acquisition unit is presented in association with a corresponding one of the plurality of authentication systems. The information processing device further includes:
an access information acquisition unit that acquires a plurality of pieces of access information for accessing the plurality of authentication systems using a crawler;
The policy acquisition unit includes:
The information processing apparatus according to claim 8, wherein the plurality of authentication systems are accessed using the plurality of access information, and the plurality of password policies are acquired from the plurality of authentication systems. The computer acquires the password policy specified by the authentication system that uses passwords to authenticate users,
When the authentication system receives a password input from a user for the user authentication, the computer presents the acquired password policy to the user, the information processing method comprising:
The computer includes:
From a registration page containing the password policy, which is presented to the user by the authentication system when a verification password that the authentication system checks against the password input during the user authentication is registered in the authentication system. An information processing method for acquiring the password policy. The computer acquires the password policy specified by the authentication system that uses passwords to authenticate users,
When the authentication system receives a password input from a user for the user authentication, the computer presents the acquired password policy to the user, the information processing method comprising:
The computer includes:
An information processing method that obtains the password policy using an error message presented to the user by the authentication system when an incorrect password that does not match the password policy is input. A policy acquisition process that acquires a password policy specified in an authentication system that authenticates users using passwords;
An information processing program that causes a computer to execute a policy presentation process of presenting the password policy acquired by the policy acquisition process to the user when the authentication system receives a password input from the user for the user authentication. There it is,
In the policy acquisition process, the computer:
From a registration page containing the password policy, which is presented to the user by the authentication system when a verification password that the authentication system checks against the password input during the user authentication is registered in the authentication system. An information processing program that causes the password policy to be acquired. A policy acquisition process that acquires a password policy specified in an authentication system that authenticates users using passwords;
An information processing program that causes a computer to execute a policy presentation process of presenting the password policy acquired by the policy acquisition process to the user when the authentication system receives a password input from the user for the user authentication. There it is,
In the policy acquisition process, the computer:
An information processing program that causes the authentication system to obtain the password policy using an error message presented to the user by the authentication system when an incorrect password that does not match the password policy is input.

Images